

ServiceNow Vulnerability Response 
Integration with Qualys WAS 


User Guide 
Version 1.2.0 


June 15, 2022 


Copyright 2019-2022 by Qualys, Inc. All Rights Reserved. 


Qualys and the Qualys logo are registered trademarks of Qualys, Inc. All other trademarks 
are the property of their respective owners. 


Qualys, Inc.
919 E Hillsdale Blvd, 4th Floor
Foster City, CA 94404
1 (650) 801 6100


Table of Contents 


About this Guide
    About Qualys
    Qualys Support
Welcome to Vulnerability Response Integration with Qualys WAS
    Key Features
    Pre-requisites
Get Started
    Install the Application
    Configure the Application
Qualys WAS Integrations
    Using the Qualys WAS Integrations
Viewing Qualys WAS Data in ServiceNow
    Viewing Web Application List Data in ServiceNow
    Viewing Web Application Vulnerable Item in ServiceNow
    Viewing Qualys KnowledgeBase Data in ServiceNow
    Viewing Web Application Scan Summary data in ServiceNow
Field Mappings Table
    Qualys KnowledgeBase Integration
    Qualys Web Application Vulnerable Item Integration
    Qualys Web Application List Integration
    Qualys Web Application Scan Summary Integration
Known Issues/Limitations


About this Guide 


Welcome to Qualys Cloud Platform! In this guide, we will show you how to integrate the Qualys 
WAS module with ServiceNow’s Application Vulnerability Response app. On successful integration, 
you will be able to run web application scans on the Qualys WAS app and then sync the findings and 
vulnerabilities from the scan to the ServiceNow Application Vulnerability Response app. 


About Qualys 


Qualys, Inc. (NASDAQ: QLYS) is a pioneer and leading provider of cloud-based security and 
compliance solutions. The Qualys Cloud Platform and its integrated apps help businesses 
simplify security operations and lower the cost of compliance by delivering critical 
security intelligence on demand and automating the full spectrum of auditing, 
compliance and protection for IT systems and web applications. 


Founded in 1999, Qualys has established strategic partnerships with leading managed 
service providers and consulting organizations including Accenture, BT, Cognizant 
Technology Solutions, Deutsche Telekom, Fujitsu, HCL, HP Enterprise, IBM, Infosys, NTT, 
Optiv, SecureWorks, Tata Communications, Verizon and Wipro. The company is also a 
founding member of the Cloud Security Alliance (CSA). For more information, please visit 
www.qualys.com 


Qualys Support 


Qualys is committed to providing you with the most thorough support. Through online 
documentation, telephone help, and direct email support, Qualys ensures that your 
questions will be answered in the fastest time possible. We support you 7 days a week, 
24 hours a day. Access support information at www.qualys.com/support/ 
Welcome to Vulnerability Response Integration with Qualys WAS 


Qualys Web Application Scanning (WAS) provides organizations with the ease of use, 
centralized management and integration capabilities they need to keep the attackers at 
bay and their web applications secure. Qualys WAS enables organizations to assess, track 
and remediate web application vulnerabilities. 


With Vulnerability Response Integration with Qualys WAS, Qualys uses the WAS APIs to 
integrate with ServiceNow. Use this integration to get a single pane of glass view of all 
your web application scans in ServiceNow. 


Key Features 
- View all WAS-related QIDs from within ServiceNow 
- Run web application scans with Qualys WAS and view their results in ServiceNow 
- View the list of all web applications scanned by Qualys in ServiceNow 


Pre-requisites 


You must have a valid Qualys account subscription with API access and access to the Web 
Application Scanning (WAS) module. 


To use this integration with ServiceNow, also ensure that you have access to the 
Vulnerability Response app on ServiceNow. 


Refer to the ServiceNow Documentation for information on installing and accessing this 
application in ServiceNow. 


Get Started 


Here we will help you with the initial configuration and setup needed to get started. 


Quick Steps 

- Install the Application 
- Configure the Application: provide the API source details and test the connection to 
ensure that ServiceNow can reach the defined source. 


Install the Application 
Visit the ServiceNow Online Store. 


Search for Qualys WAS App, and click Contact Seller. Your Technical Account Manager 
(TAM) will contact you, and then ServiceNow provisions the app into an instance of your 
choice. The app then appears in the “Downloads” list of your instance. Click “Install” to 
start using the app. 


In the Search field, type Qualys WAS, and then select Qualys WAS App from the left pane. 
A new module then appears in your ServiceNow instance. 


Configure the Application 


Once you install the Vulnerability Response Integration with Qualys WAS app, you will 
need to configure it. Go to Qualys WAS Integration > Configuration to begin configuring 
the app. 


On the Qualys Web Application Vulnerability Configuration page, enter the following 
details: 


Step 1 


Qualys API Server URL: Enter the API Server URL for your subscription. To find it, refer to 
the Identify your Qualys Platform page. 


Username and Password: Enter valid Qualys Cloud Platform credentials for an account 
on the selected POD. Ensure that the account you use has API access enabled. Because 
these credentials are stored in the instance and used by the scheduled integration runs, 
use a dedicated Qualys user for the integration rather than a personal login. 
[Screenshot: Qualys Web Application Vulnerability Configuration page ("Allows Web 
Application security information to be downloaded from Qualys"). Fields shown: Qualys API 
Server URL (for example https://qualysapi.qg2.apps.qualys.com), Username, Password, and 
the Triaging in ServiceNow check box ("Select this check box to manage your application 
vulnerability triaging in ServiceNow"). The left panel lists Qualys WAS Integration > 
Integrations, Configuration, Qualys Credentials and WAS Detections Filter.] 
Triaging in ServiceNow: This check box enables support for the "Automatic Triage of 
Vulnerabilities" feature in the Vulnerability Response remediation workflow of the 
ServiceNow Vulnerability Response application. 


Select this check box to map the vulnerability (detection) state in the Vulnerable Items 
table, that is, the AVIT table (sn_vul_app_vulnerable_item), as per the Triage map maintained 
in the sn_vul_app_state_map table. The detection state is mapped from its source 
state to the corresponding Target Triage state. The default mapping configuration is 
the one shipped in the sn_vul_app_state_map table. 


The Target Triage state is configurable, so you can change the sn_vul_app_state_map 
table as per your triaging criteria. 

Use the Save and Test Credentials button to test the connection between ServiceNow and 
Qualys WAS. A success message is displayed when the connection is tested successfully. 


Step 2 


Select the required filters from WAS Detections Filter. These filters apply only to the 
Qualys Web Application Vulnerable Item Integration. 


The Filter Qualys WAS Detection page (Qualys WAS Integration > WAS Detections Filter) 
offers these Qualys Findings/Detections Import Filters: 

- Potential Vulnerabilities: selected by default. Clear this option if you wish to sync 
only confirmed vulnerabilities. 
- Severity Level: select all or the desired severity levels (Severity 1 to Severity 5) of 
the detections that you wish to sync. Selection of at least one severity level is necessary. 
- Vulnerability Type: select all or the desired vulnerability types to be synced: 
INFORMATION_GATHERED, SENSITIVE_CONTENT, VULNERABILITY. At least one selection is 
necessary. 
- Finding Type: select all or the desired finding types to be synced: Qualys, Others 
(Burp, Bugcrowd, etc.). At least one selection is necessary. 

Click Update to save the filter. 
Select the required filters to sync WAS detections based on Severity level, Vulnerability 
type and Finding type. The configured filters apply either to both Confirmed and Potential 
detections or to Confirmed detections only, depending on whether the Potential 
Vulnerabilities check box is selected. 


By default, all the check boxes are selected, so a run of the Qualys Web Application 
Vulnerable Item Integration syncs all the detections available in the Qualys WAS module. 
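The filters above decide which WAS findings the Vulnerable Item Integration pulls. The following Python script is an added example, not code from the Qualys app or from ServiceNow: it turns such a selection into the Qualys WAS API finding-search request (POST /qps/rest/3.0/search/was/finding with HTTP Basic auth and the X-Requested-With header that the Qualys API requires), enforcing the page's "at least one selection" rule and the confirmed-only behaviour of the Potential Vulnerabilities box. That the app itself uses this endpoint and these criteria fields, the BURP/BUGCROWD enum values for the "Others" group, and the use of lastTestedDate as the Start Time cut-off are assumptions, marked as such in the comments.

```python
"""Build the Qualys WAS finding-search request for a WAS Detections Filter
selection.  Added example; not code from the Qualys app or ServiceNow."""
import base64
from datetime import datetime
from xml.etree import ElementTree as ET

# WAS API finding search, relative to the Qualys API Server URL (assumption:
# the app's Vulnerable Item Integration is modelled on this call).
SEARCH_ENDPOINT = "/qps/rest/3.0/search/was/finding"

# Choices offered on the WAS Detections Filter page.
SEVERITY_LEVELS = {1, 2, 3, 4, 5}
VULNERABILITY_TYPES = {"INFORMATION_GATHERED", "SENSITIVE_CONTENT", "VULNERABILITY"}
# The page labels the second group "Others (Burp, Bugcrowd, etc.)"; the enum
# values sent for it are an assumption based on the WAS API findingType field.
FINDING_TYPE_GROUPS = {"QUALYS": ["QUALYS"], "OTHERS": ["BURP", "BUGCROWD"]}


def filter_errors(severities, vuln_types, finding_groups):
    """Validation the filter page enforces: at least one selection per filter,
    and only values the page offers."""
    errors = []
    checks = (("severity", severities, SEVERITY_LEVELS),
              ("vulnerability type", vuln_types, VULNERABILITY_TYPES),
              ("finding type", finding_groups, set(FINDING_TYPE_GROUPS)))
    for label, chosen, allowed in checks:
        chosen = set(chosen)
        if not chosen:
            errors.append(f"{label}: at least one selection is necessary")
        elif not chosen <= allowed:
            errors.append(f"{label}: unknown value(s) {sorted(chosen - allowed)}")
    return errors


def build_finding_search(severities, vuln_types, finding_groups,
                         include_potential=True, since=None, page_size=100):
    """Return the <ServiceRequest> body for POST SEARCH_ENDPOINT.

    include_potential=False mirrors clearing the Potential Vulnerabilities box
    (confirmed detections only).  since is a UTC stamp "YYYY-MM-DDTHH:MM:SSZ";
    which WAS date field the app compares its Start Time against is not
    documented, so filtering on lastTestedDate is an assumption.
    """
    errors = filter_errors(severities, vuln_types, finding_groups)
    if errors:
        raise ValueError("; ".join(errors))
    req = ET.Element("ServiceRequest")
    filters = ET.SubElement(req, "filters")

    def criteria(field, operator, value):
        ET.SubElement(filters, "Criteria", field=field, operator=operator).text = value

    criteria("severity", "IN", ",".join(str(s) for s in sorted(severities)))
    criteria("type", "IN", ",".join(sorted(vuln_types)))
    finding_types = sorted(t for g in finding_groups for t in FINDING_TYPE_GROUPS[g])
    criteria("findingType", "IN", ",".join(finding_types))
    if not include_potential:
        criteria("potential", "EQUALS", "false")
    if since is not None:
        datetime.strptime(since, "%Y-%m-%dT%H:%M:%SZ")  # reject non-UTC or malformed stamps
        criteria("lastTestedDate", "GREATER", since)
    prefs = ET.SubElement(req, "preferences")
    ET.SubElement(prefs, "limitResults").text = str(page_size)
    ET.SubElement(prefs, "verbose").text = "true"  # include request/response payload details
    return ET.tostring(req, encoding="unicode")


def request_headers(username, password):
    """Headers the Qualys API requires: HTTP Basic auth and X-Requested-With."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return {"Authorization": f"Basic {token}",
            "X-Requested-With": "was-sync-example",
            "Content-Type": "text/xml"}


def criteria_of(body):
    """Read a request body back into {field: (operator, value)} for checking."""
    return {c.get("field"): (c.get("operator"), c.text)
            for c in ET.fromstring(body).iter("Criteria")}


if __name__ == "__main__":
    print(build_finding_search({3, 4, 5}, {"VULNERABILITY"}, {"QUALYS"},
                               include_potential=False, since="2022-06-01T00:00:00Z"))
```

Send the returned body with the headers from request_headers() to the Qualys API Server URL configured in Step 1 followed by SEARCH_ENDPOINT; a selection that the filter page would reject is refused before any request is built.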


Qualys WAS Integrations 


The Vulnerability Response Integration with Qualys WAS app offers four integrations. 
Access Qualys WAS Integration from the left panel and then click Integrations to view 
these integrations. 


1. Qualys KnowledgeBase Integration - Syncs the WAS-related KnowledgeBase entries 
from the Qualys KnowledgeBase with ServiceNow. 


Note: While the Qualys KnowledgeBase has several thousand QIDs, this integration 
syncs only those QIDs that are related to WAS. 


2. Qualys Web Application Vulnerable Item Integration - Fetches all the WAS 
detections related to the configured account from the Qualys platform. 


3. Qualys Web Application List Integration — Fetches all the Web applications 
associated with the configured account from the Qualys platform. 


4. Qualys Web Application Scan Summary Integration - Syncs all the scans-related 
data associated with the configured account from the Qualys platform. 


[Screenshot: Application Vulnerability Integrations list filtered on Source integration = 
Qualys Web Application Security, showing the four integrations with their Name, Active, 
Source integration, Source Instance (Qualys Web Application Vulnerability), Start time, 
Next Integration and Run as columns.] 

Use these integrations to sync data from the Qualys platform to ServiceNow. Refer to the 
sections below for details on using these integrations. 
Using the Qualys WAS Integrations 


Access the Qualys Integrations page by navigating to Qualys WAS Integration in the 
left panel and then clicking Integrations. To configure or run an integration, select the 
integration from the right pane. 


[Screenshot: the Qualys Web Application List Integration record (Application Vulnerability 
Integration form) with the Execute Now and Update buttons.] 

The integration record shows these fields: 
- Name: for example, Qualys Web Application List Integration 
- Active 
- Run and Time: for example, Daily at 00:00:00 
- Application: Vulnerability Response Integration with Qualys WAS 
- Source integration: Qualys Web Application Security 
- Source Instance: Qualys Web Application Vulnerability 
- Next Integration: choose an integration to trigger automatically upon the completion of 
the current integration run (for example, Qualys KnowledgeBase Integration). 
- Start time: where applicable, the next integration run pulls all data updated since this 
date. Each successful import resets this date to that day's date and time. When 
configuring the integration for the first time, set this date to the earliest date you 
want to retrieve. 

Note: The default Run for the List Integration is Daily, with a default Time of 00:00:00. For 
the other three integrations, Run is set to On Demand. 


You can choose to run the integration using one of the following options: 
- Daily: Runs the integration daily at the configured time 
- Weekly: Runs the integration weekly at the configured time on the configured day 
- Monthly: Runs the integration monthly at the configured time on the configured day 
of the month 
- Periodically: Runs the integration at the configured interval 
- Once: Runs the integration only once, at the configured date and time 
- On-Demand: Runs the integration only when the "Execute Now" button is clicked 
- Business Calendar: Entry Start: Refer to the ServiceNow documentation for 
information on Business calendars. 
- Business Calendar: Entry End: Refer to the ServiceNow documentation for 
information on Business calendars. 
Sequence | Integration Name                                   | Active | Default Run type | Default Time (if applicable) | Default Next Integration
---------|----------------------------------------------------|--------|------------------|------------------------------|---------------------------------------------------
1        | Qualys Web Application List Integration            | true   | Daily            | 00:00:00                     | Qualys KnowledgeBase Integration
2        | Qualys KnowledgeBase Integration                   | false  | On-Demand        | NA                           | Qualys Web Application Vulnerable Item Integration
3        | Qualys Web Application Vulnerable Item Integration | false  | On-Demand        | NA                           | Qualys Web Application Scan Summary Integration
4        | Qualys Web Application Scan Summary Integration    | false  | On-Demand        | NA                           | NA

Note: As recommended by ServiceNow, only the Qualys Web Application List Integration is 
shipped active and the other integrations are inactive, so that customers can add 
remediation rules, assignment rules and so on for AVR before detections are imported. 
Enable the inactive integrations once you have added the desired rules. 


The Start Time field defines the time after which data is synced from the Qualys 
platform. Leaving the field blank for the first run makes the integration sync all data 
from the platform; all subsequent runs of the integration sync only data updated after 
this start time. 


Note: It is recommended to keep the Start Time field empty for the very first integration 
run of Qualys Web Application Vulnerable Item Integration, so that the application can 
sync all the vulnerabilities appropriately. 


Note: Qualys recommends not making changes to the Integration Details section. 


Click the Execute Now button when you are ready to run the integration or click Update 
to run the integration as per the defined schedule. 




The Vulnerability Integration Runs tab at the bottom summarizes each integration run. 
It displays the status of each run and the number of records synced between the 
Qualys Platform and ServiceNow. 


Viewing Qualys WAS Data in ServiceNow 


The ServiceNow Application Vulnerability Response (AVR) app helps you view all your 
application vulnerabilities on a single page. With the Vulnerability Response Integration 
with Qualys WAS app, you can view all your Qualys WAS data from the Qualys platform on the 
ServiceNow Application Vulnerability Response page. 


Viewing Web Application List Data in ServiceNow 


To view a list of Web Applications in ServiceNow, navigate to Application Vulnerability 
Response > Administration > Applications. 


[Screenshot: Application Vulnerability Response > Administration > Applications, listing 
Scanned Applications with Name, Department, Business unit, Support group, Version, 
Operational status and Source columns.] 

Filter by “Qualys” on the Source column to view applications scanned by Qualys. 


Refer to the Field Mappings Table section for information on how Qualys WAS fields are 
mapped to fields in ServiceNow. 
Viewing Web Application Vulnerable Item in ServiceNow 


To view a list of web application detections in ServiceNow, navigate to Application 
Vulnerability Response > Vulnerable Items. Here you can use any of the pages that show 
the vulnerabilities based on assignee filters. 


[Screenshot: Application Vulnerability Response list view with Assigned to Me and 
Assigned to My Groups pages in the left panel and a Source column in the list.] 

Filter by “Qualys” on the Source column to view detections identified by Qualys. 
Refer to the Field Mappings Table section for information on how Qualys WAS fields are 
mapped to fields in ServiceNow. 


Viewing Qualys KnowledgeBase Data in ServiceNow 


To view Qualys KnowledgeBase data in ServiceNow, navigate to Application Vulnerability 
Response > Libraries > Third-Party. 


[Screenshot: Application Vulnerability Response > Libraries > Third-Party, listing 
Application Vulnerability Entries with ID, Category name and Source columns.] 
Filter by “Qualys” on the Source column to view the Qualys KnowledgeBase records. 


Refer to the Field Mappings Table section for information on how Qualys WAS fields are 
mapped to fields in ServiceNow. 


Viewing Web Application Scan Summary data in ServiceNow 


ServiceNow Application Vulnerability Response app currently does not offer a screen to 
view Qualys web application scan summary data. The Qualys web application scan 
summary data is currently stored in the sn_vul_app_vul_scan_summary table of ServiceNow. 


Refer to the Field Mappings Table section for information on how Qualys WAS fields are 
mapped to fields in ServiceNow. 
Field Mappings Table 


The Vulnerability Response Integration with Qualys WAS app maps fields from the Qualys 
WAS APIs to the fields on the ServiceNow AVR app. This section details how the fields 
from the WAS API are mapped to corresponding fields on the ServiceNow AVR UI. 


Qualys KnowledgeBase Integration 


The Qualys KnowledgeBase Integration syncs data from the Qualys platform to the 
sn_vul_app_vul_entry table of ServiceNow. The following table shows the mapping 
between Qualys and the ServiceNow UI: 


Field in Qualys WAS API Response XML   | Corresponding Field on ServiceNow UI | Expected Values
---------------------------------------|--------------------------------------|--------------------------------------------------------------------------
<QID>                                  | ID                                   | Vuln QID
<SEVERITY_LEVEL>                       | Source Severity                      | Vuln severity level
<CVSS><VECTOR_STRING>, AC metric       | Access complexity (v2)               | AC: High (H), Medium (M), Low (L)
<CVSS><VECTOR_STRING>, AV metric       | Access vector (v2)                   | AV: Local (L), Adjacent Network (A), Network (N)
<CVSS><VECTOR_STRING>, Au metric       | Authentication (v2)                  | Au: Multiple (M), Single (S), None (N)
<CVSS><VECTOR_STRING>, C metric        | Confidentiality impact (v2)          | C: None (N), Partial (P), Complete (C)
<CVSS><VECTOR_STRING>, I metric        | Integrity impact (v2)                | I: None (N), Partial (P), Complete (C)
<CVSS><VECTOR_STRING>, A metric        | Availability impact (v2)             | A: None (N), Partial (P), Complete (C)
<CVSS><VECTOR_STRING>, RL metric       | Remediation level (v2)               | RL: Official Fix (OF), Temporary Fix (TF), Workaround (W), Unavailable (U)
<CVSS><VECTOR_STRING>, RC metric       | Report confidence (v2)               | RC: Confirmed (C), Uncorroborated (UR), Unconfirmed (UC)
<CVSS><EXPLOITABILITY>                 | Exploitability subscore (v2)         | CVSS v2 exploitability value (for example 1)
<PUBLISHED_DATETIME>                   | Date published                       | Date on which the vuln was published
<SOLUTION>                             | Mitigation description               | Description of the steps to address the vuln
<TITLE>                                | Name                                 |
<DIAGNOSIS>                            | Short description                    |
<SOLUTION>                             | Remediation notes                    |
<DIAGNOSIS>                            | Threat                               |
<CVSS><TEMPORAL>                       | Temporal score (v2)                  | CVSS v2 temporal score
<CVSS_V3><TEMPORAL>                    | Temporal score (v3)                  | CVSS v3 temporal score (for example 4.7)
<CVSS_V3><BASE>                        | Vulnerability score (v3)             | CVSS v3 base score (for example 5.3)
<CVSS><VECTOR_STRING>                  | Vector string (v2)                   | CVSS v2 vector string, for example CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:N/A:N/E:U/RL:W/RC:C
<CVSS_V3><VECTOR_STRING>               | Vector string (v3)                   | CVSS v3 vector string, for example CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:W/RC:C
<CVSS_V3><VECTOR_STRING>, AC metric    | Attack complexity (v3)               | AC: High (H), Low (L)
<CVSS_V3><VECTOR_STRING>, AV metric    | Attack vector (v3)                   | AV: Network (N), Adjacent (A), Local (L), Physical (P)
<CVSS_V3><VECTOR_STRING>, A metric     | Availability impact (v3)             | A: None (N), High (H), Low (L)
<CVSS_V3><VECTOR_STRING>, C metric     | Confidentiality impact (v3)          | C: None (N), High (H), Low (L)
<CVSS_V3><VECTOR_STRING>, E metric     | Exploit code maturity (v3)           | E: Not Defined (X), Unproven (U), Proof-of-Concept (P), Functional (F), High (H)
<CVSS_V3><VECTOR_STRING>, I metric     | Integrity impact (v3)                | I: None (N), High (H), Low (L)
<CVSS_V3><VECTOR_STRING>, PR metric    | Privileges required (v3)             | PR: None (N), High (H), Low (L)
<CVSS_V3><VECTOR_STRING>, RL metric    | Remediation level (v3)               | RL: Not Defined (X), Official Fix (O), Temporary Fix (T), Workaround (W), Unavailable (U)
<CVSS_V3><VECTOR_STRING>, RC metric    | Report confidence (v3)               | RC: Not Defined (X), Unknown (U), Reasonable (R), Confirmed (C)
<CVSS_V3><VECTOR_STRING>, S metric     | Scope change (v3)                    | S: Unchanged (U), Changed (C)
<CVSS_V3><VECTOR_STRING>, UI metric    | User interaction (v3)                | UI: None (N), Required (R)

Qualys Web Application Vulnerable Item Integration 


The Qualys Web Application Vulnerable Item Integration syncs data from the Qualys 
platform to the sn_vul_app_vulnerable_item table of ServiceNow. The following table 
shows the mapping between Qualys and the ServiceNow UI: 


Field in Qualys WAS API Response XML   | Corresponding Field on ServiceNow UI | Expected Values
---------------------------------------|--------------------------------------|-----------------------------------------------------------------------
<webApp><id>                           | Source Application ID                | Web app ID
<uniqueId>                             | Source AVIT ID                       | uniqueId from the API response
<qid>                                  | Vulnerability                        | QID
source_scan_id                         | Source Scan ID                       |
<severity>                             | Source Severity                      | Severity of the vuln detection (1 to 5)
<webApp><name>                         | Application Release                  | Web app name
<firstDetectedDate>                    | First Found                          |
<lastDetectedDate>                     | Last Found                           |
ignore_date                            | Deferral date                        |
ignore_reason                          | Deferral notes                       |
<lastTestedDate>                       | Last Scan Date                       | Note: Qualys WAS stores this time in UTC. The integration converts it to the time zone configured for this ServiceNow instance.
(none)                                 | Last Opened                          | Note: populated by ServiceNow with the time the record was synced from the Qualys platform; it does not correspond to a field in Qualys.
(from sn_vul_app_vul_scan_summary)     | Scan summary name                    | Scan summary name from the sn_vul_app_vul_scan_summary table
Name                                   | Short Description                    | Combination of QID and Web App name
(hardcoded)                            | Source                               | Qualys
<PayloadInstance><payload> + <request> | Source Request                       |
<PayloadInstance><response>            | Source Response                      |
(generated by ServiceNow AVR)          | Source link                          | Link to the finding in the Qualys UI
<PayloadInstance><request><link>       | Location                             |
<Finding><name>                        | Summary                              | QID title
from KB to AVIT table                  | Vulnerability Summary                | QID title (from KB)
from KB to AVIT table                  | Vulnerability explanation            | DIAGNOSIS from QID (KB)
from KB to AVIT table                  | Recommendation                       | SOLUTION from QID (KB)
<status>                               | Source Remediation Status            | Status of the respective detection

Note: STATE and REASON fields are mapped based on the Source Remediation Status field 
and the sn_vul_app_state_map table. 

Qualys Web Application List Integration 


The Qualys Web Application List Integration syncs data from the Qualys platform to the 
sn_vul_app_scanned_application table of ServiceNow. The following table shows the 
mapping between Qualys and the ServiceNow UI: 


Field in Qualys WAS API Response XML | Corresponding Field on ServiceNow UI | Expected Values
-------------------------------------|--------------------------------------|----------------
<WebApp><name>                       | Name                                 | Web app name
<WebApp><id>                         | Source Application ID                | Web app ID
(hardcoded)                          | Source                               | Qualys
<url>                                | Description                          | Web app URL
Qualys Web Application Scan Summary Integration 


The Qualys Web Application Scan Summary Integration syncs data from the Qualys 
platform to the sn_vul_app_vul_scan_summary table of ServiceNow. The following table 
shows the mapping between Qualys and the ServiceNow table: 


Field in Qualys WAS API Response XML | Corresponding Field on ServiceNow UI | Expected Values
-------------------------------------|--------------------------------------|-----------------------------------------------------------------------
<WasScan><id>                        | Source Scan ID                       | WAS Scan ID
<WasScan><name>                      | Scan Summary Name                    | WAS Scan Name
<webApp><name>                       | Application Release                  | Web app name
launchedDate                         | Last Scan date                       | Note: Qualys WAS stores this time in UTC. The integration converts it to the time zone configured for this ServiceNow instance.
launchedDate                         | Last Dynamic Scan Date               | Note: same UTC to instance time zone conversion as Last Scan date.
Known Issues/Limitations 


- The Qualys WAS module does not support 'Sensitive Content' and 'Potential' as 
vulnerability types for non-Qualys (for example Burp, Bugcrowd) detections. 


- The Qualys WAS API returns 0 detections of the 'Information_Gathered' vulnerability 
type for non-Qualys (for example Burp, Bugcrowd) detections. 


- The ServiceNow Vulnerability Response Integration with Qualys WAS app might face 
connectivity issues with the Qualys platform if a ServiceNow instance on the Quebec 
release is missing the Key Management Framework plugin. Make sure your ServiceNow 
instance has the latest patch installed. 


- If you pull already existing detections that are in a Deferred or False Positive state 
while Triaging is enabled, the whole batch of API responses fails to update in the 
sn_vul_app_vulnerable_item table, resulting in loss of data. This is a known issue of the 
ServiceNow Vulnerability Response application; see ticket PRB1564344 on 
support.servicenow.com. 


- As per the design of the ServiceNow Vulnerability Response application, web application 
records in the sn_vul_app_scanned_application table are not updated even if their fields 
(such as application name and URL) are updated in the Qualys UI. 